Decision Procedures for Recursive Data Structures with Integer Constraints

Transcription

1 Decision Procedures for Recursive Data Structures with Integer Constraints Ting Zhang, Henny B. Sipma, Zohar Manna Computer Science Department Stanford University Stanford, CA Abstract. This paper is concerned with the integration of recursive data structures with Presburger arithmetic. The integrated theory includes a length function on data structures, thus providing a tight coupling between the two theories, and hence the general Nelson-Oppen combination method for decision procedures is not applicable to this theory, even for the quantifier-free case. We present four decision procedures for the integrated theory depending on whether the language has infinitely many constants and whether the theory has quantifiers. Our decision procedures for quantifier-free theories are based on Oppen s algorithm for acyclic recursive data structures with infinite atom domain. 1 Introduction Recursively defined data structures are essential constructs in programming languages. Intuitively, a data structure is recursively defined if it is partially composed of smaller or simpler instances of the same structure. Examples include lists, stacks, counters, trees, records and queues. To verify programs containing recursively defined data structures we must be able to reason about these data structures. Decision procedures for several data structures exist. However, in program verification decision procedures for a single theory are usually not applicable as programming languages often involve multiple data domains, resulting in verification conditions that span multiple theories. Common examples of such mixed constraints are combinations of data structures with integer constraints on the size of those structures. In this paper we consider the integration of Presburger arithmetic with an important subclass of recursively defined data structures known as recursive data structures. This class of structures satisfies the following properties of term algebras: (i) the data domain is the set of data objects generated exclusively by applying constructors, and (ii) each data object is uniquely generated. Examples of such structures include lists, stacks, counters, trees and records; queues do not This research was supported in part by NSF grants CCR , CCR and CCR , by ARO grant DAAD , by ARPA/AF contracts F C-1693 and F C-3014, and by NAVY/ONR contract N

2 belong to this class as they are not uniquely generated: they can grow at both ends. Our language of the integrated theory has two sorts; the integer sort Z and the data (term) sort λ. Intuitively, the language is the set-theoretic union of the language of recursive data structures and the language of Presburger arithmetic plus the additional length function. : λ Z. Formulae are formed from data literals and integer literals using logical connectives and quantifications. Data literals are exactly those literals in the theory of recursive data structures. Integer literals are those that can be built up from integer variables (including the length function applied to data terms), addition and the usual arithmetic functions and relations. We present four decision procedures for different variants of the theory depending on whether the language has infinitely many atoms and whether the theory is quantifier-free. Our decision procedures for quantifier-free theories are based on Oppen s algorithm for acyclic recursive data structures with infinite atom domain [17]. When integer constraints in the input are absent, our decision procedures can be viewed as an extension of Oppen s original algorithm to cyclic structures and to the structures with finite atom domain. Related Work Our component theories are both decidable. Presburger arithmetic was first shown to be decidable in 1929 by the quantifier elimination method [6]. Efficient algorithms were later discovered by Cooper et al [4, 18]. It is well-known that recursive data structures can be modeled as term algebras which were shown to be decidable by the quantifier elimination method [13, 11, 8]. Decision procedures for the quantifier-free theory of recursive data structures were discovered by Nelson, Oppen et al [15, 17, 5]. In [17] Oppen gave a linear algorithm for acyclic structures and a quadratic algorithm was given in [15] for cyclic structures. If the values of the selector functions on atoms are specified, then the problem is NP-complete [17]. A general combination method for decision procedures for quantifier-free theories was developed by Nelson and Oppen in 1979 [14]. However, this method is not applicable to the combination of our component theories. The method requires that component theories be loosely coupled, that is, have disjoint signatures, and are stably infinite 1. The method is not applicable to tightly coupled theories such as single-sorted theories with shared signatures or, as in our case, multisorted theories with functions mapping elements in one sort to another. The integration of Presburger arithmetic with recursive data structures was discussed by Bjørner [1] and an incomplete procedure was implemented in STeP (Stanford Temporal Prover) [2]. Zarba constructed decision procedures for the combined theory of sets and integers [22] and multisets and integers [21] by extending the Nelson-Oppen combination method. Paper Organization Section 2 provides the preliminaries: it introduces the notation and terminology. Section 3 defines recursive data structures and ex- 1 A theory is stably infinite if a quantifier-free formula in the theory is satisfiable if and only if it is satisfiable in an infinite model.

3 plains Oppen s algorithm, the basis for our decision algorithm for quantifier-free theories. Section 4 introduces the combined theory of recursive data structures and Presburger arithmetic and outlines our approach for constructing the decision procedures. Sections 5-8 describe the four classes of decision procedures for the different variants of the theory in detail. Section 9 discusses complexity issues and Section 10 concludes with some ideas for future work. Because of space limitations most proofs have been omitted. They are available for reference in the extended version of this paper at tingz/papers/ijcar04 extended.pdf. 2 Preliminaries We assume the first-order syntatic notions of variables, parameters and quantifiers, and semantic notions of structures, satisfiability and validity as in [6]. A signature Σ is a set of parameters (function symbols and predicate symbols) each of which is associated with an arity. The function symbols with arity 0 are also called constants. The set of Σ-terms T (Σ, X ) is recursively defined by: (i) every constant c Σ or variable x X is a term, and (ii) if f Σ is an n-place function symbol and t 1,..., t n are terms, then f(t 1,..., t n ) is a term. An atomic formula (atom) is a formula of the form P (t 1,..., t n ) where P is an n-place predicate symbol and t 1,..., t n are terms (equality is treated as a binary predicate symbol). A literal is an atomic formula or its negation. A ground formula is a formula with no variables. A variable occurs free in a formula if it is not in the scope of a quantifier. A sentence is a formula in which no variable occurs free. A formula without quantifiers is called quantifier-free. Every quantifier-free formula can be put into disjunctive normal form, that is, a disjunction of conjunctions of literals. A Σ-structure (or Σ-interpretation) A is a tuple A, I where A is a nonempty domain and I is a function that associates each n-place function symbol f (resp. predicate symbol P ) with an n-place function f A (resp. relation P A ) on A. We usually denote A by A; Σ which is called the signature of A. We use Gothic letters (like A) for structures and Roman letters (like A) for the underlying domain. A variable valuation (or variable assignment) ν (w.r.t. A) is a function that assigns each variable an element of A. The truth value of a formula is determined when an interpretation and a variable assignment is given. A term algebra of Σ with basis X is the structure A whose domain is T (Σ, X ) and for any n-place function symbol f Σ and t 1,..., t n T (Σ, X ), f A (t 1,..., t n ) = f(t 1,..., t n ). We assume that Σ does not contain any predicate symbols except equality. Presburger arithmetic is the first-order theory of addition in the arithmetic of integers. The corresponding structure is denoted by A Z = Z; 0, +, <. A formula ϕ is satisfiable (or consistent) if it is true under some variable valuation; it is unsatisfiable (or inconsistent) otherwise. A formula ϕ is valid if it is true under every variable valuation. A formula ϕ is valid if and only if ϕ is unsatisfiable. We say that A is a model of a set T of sentences if every sentence in T is true in A. A sentence ϕ is (logically) implied by T (or T -valid), written T = ϕ, if ϕ is true in every model of T. Similarly we say that ϕ is T -satisfiable if

4 ϕ is true in some model of T and it is T -unsatisfiable otherwise. The notions of (T -)validity and (T -)satisfiability naturally extend to a set of formulae. A theory T is a set of sentences that is closed under logical implication, that is, if T = ϕ, then ϕ T. By a theory of structure A, written Th(A), we shall mean the set of all valid sentences in A. We write Th (A) for the quantifier-free fragment of Th(A). In this paper all decision procedures for quantifier-free theories are refutationbased; to determine the validity of a formula ϕ it suffices to determine the unsatisfiability of ϕ, which further reduces to determining the unsatisfiability of each disjunct in the disjunctive normal form of ϕ. Henceforth, in discussions related to quantifier-free theories, an input formula always refers to a conjunction of literals. 3 Recursive Data Structures and Oppen s Algorithm We present a general language of recursive data structures. For simplicity, we do not distinguish syntactic terms in the language from semantic terms in the corresponding interpretation. The meaning should be clear from the context. Definition 1. A recursive data structure A λ : λ; A, C, S, T consists of 1. λ: The data domain, which consists of all terms built up from constants by applying constructors. Elements in λ are called λ-terms (or data terms). 2. A: A set of atoms (constants): a, b, c, C: A finite set of constructors: α, β, γ,... The arity of α is denoted by ar(α). We say that an object is α-typed (or an α-term) if its outmost constructor is α. 4. S: A finite set of selectors. For each constructor α with arity k > 0, there are k selectors s α 1,..., s α k in S. We call sα i (1 i k) the i th α-selector. For a term x, s α i (x) returns the ith component of x if x is an α-term and x itself otherwise. 5. T : A finite set of testers. For each constructor α there is a corresponding tester Is α. For a term x, Is α (x) is true if and only if x is an α-term. In addition there is a special tester Is A such that Is A (x) is true if and only if x is an atom. Note that there is no need for individual atom testers as x = a serves as Is a (x). The theory of recursive data structures is essentially the theory of term algebras (with the empty variable basis) which is axiomatizable as follows. Proposition 1 (Axiomatization of Recursive Data Structures [8]). Let z α abbreviate z 1,..., z ar(α). The following formula schemes, in which variables are implicitly universally quantified over λ, axiomatize Th(A λ ). A. t(x) x, if t is built solely by constructors and t properly contains x. B. a b, a α(x 1..., x ar(α) ), and α(x 1..., x ar(α) ) β(y 1,..., y ar(β) ), if a and b are distinct atoms and if α and β are distinct constructors. C. α(x 1,..., x ar(α) ) = α(y 1,..., y ar(α) ) 1 i ar(α) x i = y i. D. Is α (x) z α α( z α ) = x, Is A (x) α C Is α(x).

5 E. s α i (x) = y z α( α( zα ) = x y = z i ) ) ( z α (α( z α ) x) x = y ). In general, selectors and testers can be defined by constructors and vice versa. One direction has been shown by (D) and (E), which are pure definitional axioms. Example 1. Consider the LISP list structure A List = List; cons, car, cdr where list denotes the domain, cons is the 2-place constructor (pairing function) and car and cdr are the corresponding left and right selectors (projectors) respectively. Let {car, cdr} + denote any nonempty sequence of car and cdr. The axiom schemas in Proposition 1 reduce to the following. (i) Is A (x) Is cons (x), (ii) car(cons(x, y)) = x, (iii) cdr(cons(x, y)) = y, (iv) Is A (x) {car, cdr} + (x) = x, (v) Is cons (x) cons(car(x), cdr(x)) = x. Decision Procedures for Recursive Data Structures In [17] Oppen presented a decision procedure for acyclic data structures A λ. The basic idea of the decision procedure is to generate all equalities between terms implied by asserted equalities in the formula and check for inconsistencies with the asserted disequalities in the formula. The decision procedure relies on the fact that Th(A λ ) is convex. Definition 2 (Convexity). A theory is convex if whenever a conjunction of literals implies a disjunction of atoms, it also implies one of the disjuncts. Let Φ be a conjunction of literals and Ψ a disjunction of equalities. The convexity of Th(A λ ) can be rephrased as follows: if none of the disjuncts in Ψ is implied by Φ, then Ψ is Φ-satisfiable. Hence Φ is satisfiable if and only if for any terms s and t, whenever s t Φ, Φ = s = t. The idea of Oppen s algorithm is to discover all logically implied equalities (between terms in Φ) using the DAG representation and the bidirectional closure algorithm, which we introduce below. Definition 3 (DAG Representation). A term t can be represented by a tree T t such that (i) if t is a constant or variable, then T t is a leaf vertex labeled by t, and (ii) if t is in the form α(t 1,..., t k ), then T t is the tree having the root labeled by t and having T t1,..., T tk as its subtrees. A directed acyclic graph (DAG) G t of t is obtained from T t by factoring out the common subtrees (subterms). For a vertex u, let π(u) denote the label, δ(u) the outgoing degree and u[i] (1 i δ(u)) the i th successor of u. The DAG of a formula is the DAG representing all terms in the formula. For example, Figure 1 shows the DAG for cons(y, z) = cons(cdr(x), z) cons(car(x), y) x under the assumption that x is not an atom. Definition 4 (Bidirectional Closure). Let R be a binary relation on a DAG and let u, v be any two vertices such that δ(u) = δ(v). We say that R is the unification closure of R (denoted by R ) if R is the smallest equivalence relation extending R such that π(u) = π(v) implies (u[i], v[i]) R for 1 i δ(u). We say that R is the congruence closure of R (denoted by R ) if R is the smallest equivalence relation extending R such that (u[i], v[i]) R (1 i δ(u)) implies π(u) = π(v). If R is both unification and congruence closed (w.r.t. R), we call it the bidirectional closure, denoted by R.

6 Let R be the set of all pairs asserted equal in Φ. It has been shown that R represents all equalities logically implied by Φ [17]. Therefore Φ is unsatisfiable if and only if there exists t and s such that t s Φ and (t, s) R. Algorithm 1 (Oppen s Decision Procedure for Acyclic A λ [17]). Input: Φ : q 1 = r 1... q k = r k s 1 t 1... s l t l 1. Construct the DAG G of Φ. 2. Compute the bidirectional closure R of R = {(q i, r i ) 1 i k}. 3. Return FAIL if i(s i, t i ) R ; return SUCCESS otherwise. In our setting A λ is cyclic and values of α-selectors on non α-terms are specified, e.g., s α i (x) = x if x is not an α-term. It was shown that for such structures the decision problem is NP-complete [15]. The complication is that it is not known a priori whether s(x) is a proper subterm of x and hence it is not possible to use the DAG representation directly. A solution to this problem is to guess the type information of terms occurring immediately inside selector functions before applying Algorithm 1. Definition 5 (Type Completion). Φ is a type completion of Φ if Φ is obtained from Φ by adding tester predicates such that for any term s(t) either Is α (t) (for some constructor α) or Is A (t) is present in Φ. Example 2. A possible type completion for y = car(cdr(x)) is y = car(cdr(x)) Is cons (x) Is A (cdr(x)). A type completion Φ is compatible with Φ if the satisfiability of Φ implies that Φ is satisfiable and if any solution of Φ is a solution of Φ. Obviously Φ is satisfiable if and only if it has a satisfiable compatible completion. This leads to the following nondeterministic algorithm that relies on the successful guess of a satisfiable compatible completion if such completion exists. Algorithm 2 (The Decision Procedure for Cyclic A λ ). Input: Φ. 1. Guess a type completion Φ of Φ and simplify selector terms accordingly. 2. Call Algorithm 1 on Φ. Example 3. Figure 1 shows the DAG representation of cons(y, z) = cons(cdr(x), z) cons(car(x), y) x (1) under the guess Is cons (x). Initially R = {(v 3, v 4 )} as v 3 and v 4 are asserted equal in (1). (For simplicity reflexive pairs are not listed.) By the unification algorithm (v 6, v 7 ) are merged, which gives R = {(v 3, v 4 ), (v 6, v 7 )}. Then by the congruence algorithm (v 1, v 2 ) are merged, resulting in R = {(v 1, v 2 ), (v 3, v 4 ), (v 6, v 7 )}. Obviously this branch fails as v 1 v 2 is asserted by (1). The remaining branch (with presence of Is A (x)) simplifies to Is A (x) x = y which is clearly satisfiable, and therefore so is (1).

7 v 1 v 2 v 3 v 5 v 6 v 7 v 8 v 4 v 1 : x v 5 : car(x) v 2 : cons(car(x), y) v 6 : cdr(x) v 3 : cons(cdr(x), z) v 7 : y v 4 : cons(y, z) v 8 : z Fig. 1. The DAG of (1) under the assumption Is cons(x). Note that the correctness of both Algorithm 1 and 2 relies on the (implicit) assumption that the atom domain is infinite, since otherwise the theory is not convex. As a counter example, for the structure A λ with only two atoms a and b, we have Is A (x) = x = a x = b, but neither Is A (x) = x = a nor Is A (x) = x = b. We shall see (in Section 6) that our algorithm extends Oppen s original algorithm to structures with finite atom domain. 4 The Approach for the Integrated Theory In this section we describe the different variants of the integrated theory and outline our approach for constructing the decision procedures for each of these variants. The details of each of these four decision procedures are presented in the next four sections. Definition 6. The structure of the integrated theory is B λ = (A λ ; A Z ;. : λ Z) where A λ is a recursive data structure, A Z is Presburger arithmetic, and. denotes the length function defined recursively by: (i) for any atom a, a = 1, and (ii) for a term α(t 1,..., t k ), α(t 1,..., t k ) = k i=1 t i. Notice that we have chosen a length function that does not count the intermediate vertices. However, the algorithms can easily be modified for an alternative length function. We view terms of the form t (where t is a non-ground λ-term) as (generalized) integer variables. If ν is an assignment of data variables, let ν denote the corresponding assignment of generalized integer variables. From now on, we use Φ Z (resp. Φ λ ) to denote a conjunction of integer literals (resp. a conjunction of data literals). Whenever it is clear from context, we write B for B λ. By B ω, B <ω and B =k (k > 0) we denote the structures with infinitely many atoms, with finitely many atoms and with exactly k atoms, respectively. As was mentioned before, the general purpose combination method in [14] is not directly applicable due to the presence of the length function. The following example illustrates the problem. Example 4. Consider B ω List. The constraints Φ λ : x = cons(car(y), y) and Φ Z : x < 2 car(x) are clearly satisfiable, respectively, in A List and A Z. However, since Φ λ implies that car(x) = car(y), x contains two copies of car(y) and so its length should be at least two times the length of car(x). Therefore, Φ Z Φ λ is unsatisfiable. A simple but crucial observation is that constraints of data structures impose hidden constraints on the lengths of those structures. Here we distinguish two

8 types of integer constraints; external integer constraints that occur explicitly in input formulae, and internal integer constraints that are induced by satisfying assignments for the pure data structure constraints. In the following we will show that if we can express sound and complete length constraints (in the sense defined below) in Presburger arithmetic, we can derive decision procedures by utilizing the decision procedures for Presburger arithmetic and for recursive data structures. Definition 7 (Induced Length Constraint). A length constraint Φ with respect to Φ λ is a Presburger formula in which only generalized integer variables occur free. Φ is sound if for any satisfying assignment ν λ of Φ λ, ν λ is a satisfying assignment for Φ. Φ is complete if, whenever Φ λ is satisfiable, for any satisfying assignment ν of Φ there exists a satisfying assignment ν λ of Φ λ such that ν λ = ν. We also say that Φ is realizable w.r.t. Φ λ provided that Φ λ is satisfiable. We say that Φ is induced by Φ λ if Φ is both sound and complete. Example 5. Consider the formula Φ:cons(x, y) = z. The length constraint x < z y < z is sound but it is not complete for Φ, as the integer assignment ν :{ x = 3, y = 3, z = 4} can not be realized. On the other hand, x + y = z x > 5 y > 0 is complete for Φ, but it is not sound because it does not satisfy the data assignment ν λ : {x = a, y = a, z = cons(a, a)}. Finally, x + y = z x > 0 y > 0 is both sound and complete, and hence is the induced length constraint of Φ. Main Theorem. Let Φ be in the form Φ Z Φ λ. Let Φ be the induced length constraint with respect to Φ λ. Then Φ is satisfiable in B if and only if Φ Φ Z is satisfiable in A Z and Φ λ is satisfiable in A λ. Proof. ( ) Suppose that Φ is satisfiable and let ν be a satisfying assignment. ν divides into two disjoint parts: ν λ for data variables and ν Z for integer variables. Φ λ is obviously satisfiable under ν λ. Let ν = ν λ. By soundness of Φ we know that ν satisfies Φ. Hence Φ Φ Z is satisfiable under the joint assignment of ν and ν Z. ( ) Suppose that both Φ Φ Z and Φ λ are satisfiable. Let ν be a satisfying assignment for Φ Φ Z. ν divides into two disjoint parts: ν Z for pure integer variables and ν for the generalized integer variables. By the completeness of Φ, ν can be realized by a satisfying assignment ν λ such that ν = ν λ. Hence the joint assignment ν λ ν Z ν will satisfy Φ. By the main theorem the decision problem for quantifier-free theories reduces to computing the induced length constraints in Presburger arithmetic. In the next two sections we show that this is possible for the two quantifier-free variants of our theory. 5 The Decision Procedure for Th (B ω ) The first and easiest of the four variants considered is the quantifier-free combination with an infinite atom domain. In the structure B ω the induced

9 length constraints of a formula can be derived directly from the DAG for the formula. Before we present the algorithm we define the following predicates on terms in the DAG: Tree(t) : x 1,..., x n 0 ( t = ( n i=1 (d i 1)x i ) + 1) Node α (t, t α ) : t = δ(α) ( i=1 t i Tree α (t) : t α Node α (t, t α ) ) δ(α) i=1 Tree(t i) where t α stands for t 1,..., t δ(α) and and d 1,..., d n are the distinct arities of the constructors. The predicate T ree(t) is true iff t is the length of a wellformed tree, since whenever a leaf expands one level with outgoing degree d, the length of the tree increases by d 1. The second predicate forces the length of an α-typed node with known children to be the sum of the lengths of its children. The last predicate states the length constraint for an α-typed leaf. With these predicates the construction of the induced length constraint is given by the following algorithm. Algorithm 3 (Construction of Φ in B ω ). Let Φ λ be a (type-complete) data constraint, G λ the DAG of Φ λ and R the bidirectional closure obtained by Algorithm 1. Initially set Φ =. For each term t add the following to Φ. t = 1, if t is an atom; t = s, if (t, s) R. Tree(t) if t is an untyped leaf vertex Node α (t, t α ) if t is an α-typed vertex with children t α. Tree α (t) if t is an α-typed leaf vertex. Proposition 2. Φ obtained by Algorithm 3 is expressible in a quantifier-free Presburger formula linear in the size of Φ. Theorem 1. Φ obtained by Algorithm 3 is the induced length constraint of Φ λ. Algorithm 4 (Decision Procedure for Th (B ω )). Input: Φ λ Φ Z. 1. Guess a type completion Φ λ of Φ λ. 2. Call Algorithm 1 on Φ λ. Return FAIL if Φ λ is unsatisfiable; continue otherwise. 3. Construct Φ from G λ using Algorithm 3. Return SUCCESS if Φ is satisfiable and Φ Z is satisfiable; Return FAIL otherwise. The correctness of the algorithm follows from Main Theorem and Theorem 1. Example 6. Figure 2 shows the DAG of x = cons(car(y), y) cons(car(y), y) < 2 car(x), (2) assuming that y is not an atom. The computed R is {(v 1, v 2 ), (v 3, v 5 ), (v 4, v 6 )}. By Algorithm 3 Φ includes the conjunction cons(car(y), y) = car(y) + y car(x) = car(y) cdr(x) = y which implies cons(car(y), y) 2 car(x), contradicting cons(car(y), y) < 2 car(x). If y is an atom, v 3, v 6, v 7 are merged. But still we have cons(car(y), y) 2 car(x). Therefore (2) is unsatisfiable.

10 v 1 v 2 v 3 v 4 v 5 v 6 v 7 v 1 : x v 2 : cons(car(y), y) v 3 : y v 4 : car(x) v 5 : cdr(x) v 6 : car(y) v 7 : cdr(y) Fig. 2. The DAG of (2) under the assumption Is cons(y) 6 The Decision Procedures for Th (B =k ) and Th (B <ω ) Algorithm 3 cannot be used to construct the induced length constraints in structures with a finite number of atoms, B =k, as illustrated by the following example. Example 7. Consider B =1 List (with atom a). The constraint x = 3 Is A (y) x cons(cons(y, y), y) x cons(y, cons(y, y)) (3) is unsatisfiable while Φ obtained by Algorithm 3 is y = 1 cons(y, y) = 2 cons(cons(y, y), y) = 3 cons(y, cons(y, y) = 3 which is obviously satisfiable together with x = 3. The reason is that if the atom domain is finite there are only finitely many terms of length n for any n > 0. If a term t is forced to be distinct from all of them, then t cannot have length n. Therefore Φ needs to include constraints that count the number of distinct terms of a certain length. Definition 8 (Counting Constraint). A counting constraint is a predicate CNT α k,n(x) that is true if and only if there are at least n+1 different α-terms of length x in the language with exactly k > 0 distinct atoms. CNT k,n (x) is similarly defined with α-terms replaced by λ-terms. The following two monotonicity properties are easily proven: for any l k > 0 and m n > 0, (i) CNT α k,n(x) CNT α l,n(x) and (ii) CNT α k,m(x) CNT α k,n(x). Example 8. For B =1 List, CNTcons 1,n (x) is x m where m is the least number such ( that the m-th Catalan number C m = 1 2m 2 ) m m 1 is greater than n. This is not surprising as C m gives the number of binary trees with m leaf vertices. In general we have the following result. Proposition 3. CNT α k,n(x) is expressible by a quantifier-free Presburger formula that can be computed in time O(n). In order to construct counting constraints, we need equality information between terms. Definition 9 (Equality Completion). An equality completion Φ λ of Φ λ is formula obtained from Φ λ such that for any two terms u and v in Φ λ either u = v or u v, and either u = v or u v are in Φ λ.

11 As before we present a nondeterministic algorithm; Φ is satisfiable if and only if at least one of the compatible (type and equality) completions of Φ is. By NEQ n (x 0, x 1,..., x n ) we shall mean that x 0,..., x n have the same length but are pairwise distinct. Algorithm 5 (Construction of Φ in B =k ). Input: Φ λ (type and equality complete), G λ and R. 1. Call Algorithm 3 to obtain Φ. 2. Add CNT α k,n( t ) to Φ for each t occurring in NEQ n (t, t 1,..., t n ). Proposition 4. Φ obtained by Algorithm 5 is expressible in a quantifier-free Presburger formula and the size of such a formula is linear in the size of Φ. Theorem 2. Φ obtained by Algorithm 5 is the induced length constraint of Φ λ. Algorithm 6 (Decision Procedure for Th (B =k )). Input : Φ λ Φ Z. 1. Guess a type and equality completion Φ λ of Φ λ. 2. Call Algorithm 1 on Φ λ. Return FAIL if Φ λ is unsatisfiable; continue otherwise. 3. Construct Φ from G λ using Algorithm 5. Return SUCCESS if Φ is satisfiable and Φ Z is satisfiable. Return FAIL otherwise. The correctness of Algorithm 6 follows from the Main Theorem and Theorem 2. Notice that, when Φ Z is empty, the algorithm can be viewed as an extension of Oppen s original algorithm for structures with finite atom domain. Example 9. Let us return to Example 7. Constraint (3) has exactly one compatible completion, namely NEQ 3 (x, cons(cons(y, y), y), cons(y, cons(y, y))). This results in the counting constraint x 4, contradicting x = 3. Algorithm 4 is also a decision procedure for Th (B <ω ) according to the following theorem. Theorem 3. Th (B <ω ) = Th (B ω ) in the languages with no constants. 7 The Decision Procedure for Th(B ω ) In this section and the next one we show the decidability of Th(B ω ), Th(B =k ) and Th(B <ω ) by extending the quantifier elimination procedure for the theory of term algebras [13, 11, 8] to our combined theory. A structure is said to admit quantifier elimination if any formula can be equivalently (and effectively) transformed into a quantifier-free formula. We demonstrate a procedure by which a sentence of B is reduced to a ground quantifier-free formula (i.e., with no variable occurrence) whose validity can be easily checked. Our elimination procedures induce decision procedures for quantifier-free theories as satisfiability of a quantifier-free formula is the same as validity of its existential closure. However, unfortunately, the complexity lower bound of the theory of term algebras is non-elementary [3, 7].

12 It is well-known that eliminating arbitrary quantifiers reduces to eliminating existential quantifiers from formulae in the form x(a 1 (x)... A n (x)), where A i (x) (1 i n) are literals [8]. We may also assume that these literals are not of the form x = t as x(x = t ϕ(x, ȳ)) simplifies to ϕ(t, ȳ) if x does not occur in t, and to false by Axiom (A) if t properly contains x. For our two-sorted language, we need to show how to eliminate integer quantifiers as well as data quantifiers. As before, we present nondeterministic algorithms, but now a formula is valid if and only if it is true in every existential branch. It is easy to see the soundness of transformations in the two elimination procedures presented in this section and the next one. We leave the termination proofs to the extended version of this paper. Eliminate Quantifiers on Integer Variables We assume that formulae with existential quantifiers on integer variables are in the form x : Z (Φ Z (x, ȳ, z) Φ λ ( z)), (4) where ȳ (resp. z) denotes a sequence of integer variables (resp. data variables). Since Φ λ ( z) does not contain x, we can move it out of the scope of x, and obtain x : Z (Φ Z (x, ȳ, z)) Φ λ ( z). (5) Notice that in Φ Z (x, ȳ, z), z only occurs inside generalized integer variables of the form t. Therefore x : Z(Φ Z (x, ȳ, z)) is essentially a Presburger formula and we can proceed to remove the quantifier using Cooper s method [4]. Eliminate Quantifiers on Data Variables We assume that formulae with existential quantifiers on data variables are in the form x : λ (Φ Z (x, ȳ, z) Φ λ (x, z)), (6) where ȳ (resp. z) denotes a sequence of integer variables (resp. data variables). As before in Φ Z (ȳ, x, z), x, z only occur inside integer terms. We may assume that (6) does not contain constructors (see Section 3). First we make sure that x does not appear properly inside any terms. Suppose otherwise that s(x) occurs for some selector s. As in [8], by guessing that x is α-typed, (6) becomes [ ] x, x 1,..., x ar(α) :λ Is α (x) s α i (x) = x i Φ λ (x, z) Φ Z (x, ȳ, z). (7) 1 i ar(α) We simplify (7) as follows: replace x t by 1 i ar(α) sα i (t) x i Is α (t) (which will cause disjunctive splittings), replace s α i (x) by x i, replace s β j (x) (for α β) by x and replace x by Σ ar(α) i=1 x i. After the simplification no x occurs in Φ λ and Φ Z, so we can remove 1 i ar(α) sα i (x) = x i, Is α (x) and the quantifier x. Although the transformation from (6) to (7) introduces new quantified variables, those new variables appear in smaller terms (compared with x). Hence the process will eventually terminate, producing formulae of the form x : λ ( x t i Φ λ ( z) Φ Z (x, ȳ, z) ), (8) i<n

13 where x does not appear in Φ λ ( z) and t i (i < n). (8) says that there exists an x which is not equal to any terms of t 0,... t n and whose length is constrained by Φ Z (x, ȳ, z). But in B ω for any n > 0 there are infinitely many terms of length n. It follows that i<n x t i can be ignored and thus (8) is equivalent to n : Z [ Tree(x) [ x /n ] Φ λ ( z) Φ Z (x, ȳ, z) [ x /n ]], (9) where ϕ[ x /n] stands for the formula obtained from ϕ by substituting all occurrences of x for n. Now (9) can be handled by the elimination procedure for integer quantifiers. Note that if Is α (x) is in (8) we use Tree α (x) instead of Tree(x) in (9). Also, if we had guessed that x is an atom, we would have directly arrived at (8) by substituting x for s(x), and then to (9) with n instantiated to 1. 8 The Decision Procedures for Th(B =k ) and Th(B <ω ) In B =k the reduction from (8) to (9) is not sound for the same reason as in Section 6. However, the technique (of adding counting constraints) is still applicable here. We first introduce some new notations. Definition 10 (Partitioning Formula). Let x be a data variable and S be the set of data terms {t 1,..., t n }. Let P be a partition of S and Q P. By a partitioning formula, written PART[x, S, P, Q], we shall mean NE λ [x, S] NE λ[s, P ] EQ λ [S, P ] NE Z [x, S, Q] EQ Z [x, S, Q], (10) }{{} PART [x,s,p,q] where NE λ [x, S] t S x t, NE λ[s, P ] t t, t S i P,t S j P,S i S j EQ λ [S, P ] t = t. t,t S i P NE Z [x, S, Q] EQ Z [x, S, Q] t S i Q t S i Q x t, x = t, Example 10. Let S = {t 1, t 2, t 3 }, P = {{t 1, t 2 }, {t 3 }} and Q = {{t 1, t 2 }}. Then NE λ [x, S] : x t 1 x t 2 x t 3 NE λ[s, P ] : t 1 t 3 t 2 t 3 NE Z [x, S, Q] : x t 3 EQ Z [x, S, Q] : x = t 1 x = t 2 EQ λ [S, P ] : t 1 = t 2 In fact PART[x, S, P, Q] is an equality completion of terms {x} S. Starting from (8) we guess a partition P of S = {t 1,..., t n } and a set Q P, resulting in x : λ [ ] NE λ [x, S] PART [x, S, P, Q] Φ λ ( z) Φ Z (x, ȳ, z), (11) which says that there exists an x such that (i) x is not equal to any terms in S, and (ii) S is partitioned into P equivalence classes among which there are Q

14 classes whose members have the same length as x. But this is exactly what the counting constraint CNT k, Q ( x ) states, and so we can transform (11) to [ n : Z Tree(x) [ x /n ] CNT k, Q (n) PART [x, S, P, Q] [ x /n ] ] Φ λ ( z) Φ Z ( x /n, ȳ, z). (12) Again, we are left with the known task of eliminating integer quantifiers. As before, in case of presence of Is α (x), we use Tree α (x) and CNT α k, Q (n) instead of Tree(x) and CNT k, Q (n), respectively, in (12). Example 11. Consider, in B =1 List (with atom a), x : λ(x cons(a, a) x = 2). The only compatible completion is x : λ(is cons (x) x = cons(a, a) x cons(a, a) x = 2). This produces the counting constraint CNT cons 1,1 ( x ) which is x > 2, contradicting x = 2. We can also derive a decision procedure for Th(B <ω ) using the above elimination procedure. Theorem 4. Th(B <ω ) (in the languages with no constants) is decidable. 9 Complexity In this section we briefly discuss complexity of the quantifier theories. Let n be the input size of Φ. First it is not hard to see that both Th (B ω ) and Th (B =k ) are NP-hard as they are super theories of Th (A λ ) and Th (A Z ), either of which is NP-complete. Second, Algorithm 3 computes Φ in O(n) (see Proposition 2) and so does Algorithm 5 (see Proposition 4). Third, the size of any type and equality completion of Φ is bounded by O(n 2 ) as there are at most n 2 pairs of terms. By the nondeterministic nature of our algorithms, we see that each branch of computation (in Algorithm 4 and Algorithm 6 respectively) is in P. Therefore both Th (B ω ) (or Th (B <ω )) and Th (B =k ) are NP-complete. 10 Conclusion We presented four classes of decision procedures for recursive data structures integrated with Presburger arithmetic. Our technique is based on the extraction of sound and complete integer constraints from data constraints. We believe that this technique may apply to arithmetic integration of various other theories. We plan to extend our results in two directions. The first is to reason about the combination of recursive data structures with integers in richer languages such as the theory of recursive data structures with subterm relation [20]. The second is to relax the restriction of unique construction of data objects to enable handling of structures in which a data object can be constructed in more than one way such as in the theory of queues [1, 19] and word concatenation [12]. Recently it comes to our attention that the combination of Presburger arithmetic and term algebras has been used in [9, 10] to show that quantifier-free theory of term algebras with Knuth-Bendix is NP-complete. We will compare the work with ours in the extended version of this paper.

15 References 1. Nikolaj S. Bjørner. Integrating Decision Procedures for Temporal Verification. PhD thesis, Computer Science Department, Stanford University, November Nikolaj S. Bjørner, Anca Browne, Michael Colón, Bernd Finkbeiner, Zohar Manna, Henny B. Sipma, and Tomás E. Uribe. Verifying temporal properties of reactive systems: A STeP tutorial. Formal Methods in System Design, 16(3): , June K. J. Compton and C. W. Henson. A uniform method for proving lower bounds on the computational complexity of logical theories. Annals of Pure and Applied Logic, 48:1 79, D. C. Cooper. Theorem proving in arithmetic without multiplication. In Machine Intelligence, volume 7, pages American Elsevier, J. Downey, R. Sethi, and R. E. Tarjan. Variations of the common subexpression problem. J. ACM, 27: , H. B. Enderton. A Mathematical Introduction to Logic. Academic Press, second edition, J. Ferrante and C. W. Rackoff. The Computational Complexity of Logical Theories. Springer-Verlag, Wilfrid Hodges. Model Theory. Cambridge University Press, Cambridge, UK, Konstantin Korovin and Andrei Voronkov. A decision procedure for the existential theory of term algebras with the knuth-bendix ordering. In Proc. 15th IEEE Symp. Logic in Comp. Sci., pages , Konstantin Korovin and Andrei Voronkov. Knuth-Bendix constraint solving is NP-complete. In Proceedings of 28th International Colloquium on Automata, Languages and Programming (ICALP), volume 2076 of Lecture Notes in Computer Science, pages Springer, M. J. Maher. Complete axiomatizations of the algebras of finite, rational and infinite tree. In Proceedings of the Third Annual Symposium on Logic in Computer Science, pages IEEE Computer Society Press, G. S. Makanin. The problem of solvability of equations in a free semigroup. Math. Sbornik, 103: , A. I. Mal cev. Axiomatizable classes of locally free algebras of various types. In The Metamathematics of Algebraic Systems, Collected Papers, chapter 23, pages North Holland, Greg Nelson and Derek C. Oppen. Simplification by cooperating decision procedures. ACM Trans. Prog. Lang. Sys., 1(2): , October Greg Nelson and Derek C. Oppen. Fast decision procedures based on congruence closure. J. ACM, 27(2): , April Derek C. Oppen. Elementary bounds for presburger arithmetic. In Proc. 5th ACM Symp. on Theory of Computing, pages 34 37, Derek C. Oppen. Reasoning about recursively defined data structures. J. ACM, 27(3), July C. R. Reddy and D. W. Loveland. Presburger arithmetic with bounded quantifier alternation. In Proceedings of the 10th Annual Symposium on Theory of Computing, pages ACM Press, Tatiana Rybina and Andrei Voronkov. A decision procedure for term algebras with queues. ACM Transactions on Computational Logic, 2(2): , K. N. Venkataraman. Decidability of the purely existential fragment of the theory of term algebras. J. ACM, 34,2: , 1987.

16 21. Calogero G. Zarba. Combining multisets with integers. In Andrei Voronkov, editor, Proc. of the 18 th Intl. Conference on Automated Deduction, volume 2392 of LNAI, pages Springer, Calogero G. Zarba. Combining sets with integers. In Alessandro Armando, editor, Frontiers of Combining Systems, volume 2309 of LNAI, pages Springer, 2002.

17 A Example 1 Revisited We need to show that LISP lists can be axiomatized by the following axioms. car(cons(x, y)) = x (13) cdr(cons(x, y)) = y (14) Is A (x) Is cons (x) (15) Is A (x) {car, cdr} + (x) = x (16) Is cons (x) cons(car(x), cdr(x)) = x (17) It follows from Proposition 1 that LISP lists is axiomatizable by the following axioms. t(x) x if t is built solely by the constructor cons and t(x) is not x. (18) Is A (x) x cons(y, z) (19) cons(x, y) = cons(x, y ) x = x y = y (20) Is cons (x) y, z(cons(y, z) = x) (21) Is cons (x) Is A (x) (22) car(x) = y z(cons(y, z) = x) ( z 1, z 2 (cons(z 1, z 2 ) x) x = y) (23) cdr(x) = y z(cons(z, y) = x) ( z 1, z 2 (cons(z 1, z 2 ) x) x = y) (24) So it remains to show that (13)-(17) imply (18)-(24). (Proof of (18).) By induction on the structure of t(x). Base Case. Without loss of generality we assume t(x) cons(x, y). Suppose cons(x, y) = x. Applying car and cdr to both sides of the equation and simplifying the results by (13) and (14), respectively, we obtain x = car(x) and y = cdr(x) which imply Is A (x) by (16) and Is cons (x) by (17), contradicting (15). Induction Step. If t(x) is of the form cons(x, t ) (or cons(t, x)), the proof is the same as for the base case. Otherwise, as before, we may assume that t(x) cons(t 1 (x), t ) where t 1 (x) is not identical to x. Suppose cons(t 1 (x), t ) = x. By (13) and (14) we know there exists L {car, cdr} + such that L(x) = x. By (16) we have Is A (x) and car(x) = x. But then cons(t 1 (x), t ) = x implies t 1 (x) = x by (13), contradicting the induction hypothesis. (Proof of (19).) Suppose that Is A (x) and there exists y and z such that x = cons(y, z). Then by (13) and (14) we have y = car(x) and z = cdr(x) which imply Is cons (x) by (17), contradicting (15).

18 (Proof of (20).) (20) can be obtained by first applying car and cdr, respectively, to the both sides of the antecedent cons(x, y) = cons(x, y ) and then doing simplification using (13) and (14). (Proof of (21).) (21) is equivalent to (19) by (15). (Proof of (22).) (22) is just (15). (Proof of (23).) We consider two cases. Case 1: Is A (x). By (16) the left hand side of (23) simplifies to x = y. And by (19) the right hand side of (23) also simplifies to x = y. Case 2: Is cons (x). By (21), (23) simplifies to car(x) = y z(cons(y, z) = x). With Is cons (x) and car(x) = y, (17) gives cons(y, cdr(x)) = x. Take z = cdr(x) we have z(cons(y, z) = x). On the other hand, let z be such that cons(y, z) = x. Then by (13) we have car(x) = y. (Proof of (24).) Similar to the proof of (23).

19 B An Easy Lemma The following lemma is a version of the Euclidean algorithm. Lemma 1. Let d 1,..., d n be positive integers and gcd(d 1,..., d n ) the greatest common divisor of them. Then there exists N d such that for any k N d, gcd(d 1,..., d n ) k N d, if and only if k can be expressed as a non-negative linear combination of d 1,..., d n, that is, there exist non-negative integers x 1,..., x n such that k = n x i d i. i=1 If n = 2, then N d = lcm(d 1, d 2 ), the least common multiple of d 1 and d 2. As an easy consequence, any number of the form N d + gcd(d 1,..., d n ) t (t 0) can be expressed as a non-negative linear combination of d 1,..., d n. However there is no closed-form formula to decide if a number smaller than N d can be put into a non-negative linear combination of d 1,..., d n. Finding the largest such indecomposable number (when gcd(d 1,..., d n ) = 1) is known as Frobenius Coin Problem which is NP-hard.

20 C The Proofs of Complexity Proof of Proposition 2. We show that Φ obtained by Algorithm 3 is expressible in a quantifier-free Presburger formula linear in the size of Φ. Let d 1,..., d n be distinct arities of the constructors in a specific language. Since n and d i (1 i n) are constant values (in a fixed language), it is easily seen that predicates Tree(t), Node α (t, t α ) and Tree α (t) are of constant length (see Section 5). Note that all generalized integer variables has length 1 as we can abstract t to a fresh integer variable v. Though Tree(t) involves quantifiers, by the quantifier elimination of Presburger arithmetic, there exists an equivalent quantifier-free formula with the length at most triple exponential of the length of Tree(t) ([16]). So such an quantifier-free formula is still of constant length. The similar result holds for Tree α (t) and therefore Φ obtained by Algorithm 3 can be expressible in quantifier-free Presburger formula linear in the size of Φ. In fact we don t need to do quantifier elimination at all. We illustrate this for Tree(t). Tree(t) states that t 1 is a non-negative linear combination of d i 1 (1 i n). Let gcd be the greatest common divisor of {d i 1 1 i n}. By Lemma 1 there exists N d such that if t 1 N d, t 1 can assume values of the form N d + k gcd (k 0). Thus, Tree(t) is equivalent to ( t 1 = a) gcd ( t 1 N d). a S where S is some subset of {1,..., N d} and S can be recomputed for a fixed language. Similarly we can obtain a quantifier-free formula equivalent to Tree α (t) without going through the quantifier elimination procedure. Proof of Proposition 3. We show that CNT α k,n(x) is expressible in a quantifierfree Presburger formula that can be computed in time O(n). Assume that L λ has m constructors and let d i (1 i m) be the i th arity. Let f(p) be the number of distinct term trees of length p. For p > 1, we have the following recurrence relation. f(p) = m h=1 i i dh =p d h j=1 f(i j ). (25) The reason is as follows: there are m possible ways to label the root of a tree; for a root with d children whose lengths are i 1,..., i d, respectively, there are d j=1 f(i j) combinations. By dynamic programming, we can compute f(1), f(2),... in the bottom-up fashion. On the way we will find the first l such that f(l) > n and we take CNT k,n (x) be x l. Similarly we can get CNT α k,n(x). Since there are O(p d 1 ) different sequences of positive numbers whose sum is p 1, f(l) can be obtained by O(l d ) arithmetic operations. As f(p) grows exponentially in p, l is at the scale of O(log n). Moreover, as all integers in the computation is less than n, any arithmetic operation costs time O(log n). Therefore the search for such l can be done in O(n). We are almost done except one complication. We say that term trees can grow continuously, if for any tree T, the following conditions are satisfied.

21 1. There is a tree T whose length is the next legitimate tree length greater than the length of T. 2. Such a T can be obtained by expanding a leaf of T one level. It is not hard to see that if trees can grow continuously, then for any legitimate tree length x, x m implies f(x) > n. (This is the case if we have a binary constructor, or all constructors have the same arity.) Therefore CNT α k,n(x) is just x m. If trees can not grow continuously, then it is not true that for any x m, f(x) > n. To see this, let us consider an extreme example; a language with only one atom and with two constructors of arity 4 and 1001 respectively. Let n = f(1000). With no doubt, there are so many distinct trees of length 1000 (constructed using solely the constructor of arity 4), and so n is a very huge number. But there is only one tree of length 1001 simply because 1000 can not be divided by 3 and so such a tree has to be constructed using the constructor of arity So 1000 is the least number such that f(1000) > n 1 while f(1001) << n 1. We should remark that such an anomaly very unlikely happens in practice. However, by Lemma 1 we still have f(x) > n for any So finally CNT α k,n(x) assume the form x m + N d. (x = a) x m + N d, a S where S is a subset of {m,..., m + N d}. Since N d and hence the size of S are constants, we see that CNT α k,n(x) can be computed in O(n). Proof of Proposition 4. We show that Φ obtained by Algorithm 5 is expressible in a quantifier-free Presburger formula and the size of such a formula is quadratic in the size of Φ. By Proposition 3 this amounts to show that the computation of all counting constraints in Φ can be done in quadratic time. Let us call C = {t 1,..., t n } a cluster (w.r.t. Φ) if NEQ(t 1,..., t n ) is in Φ. A cluster C is maximum if any proper superset C of C is not a cluster (w.r.t. Φ). We observe the followings. 1. Since Φ is an equality completion, any term t is in exactly one maximum cluster. It follows that any two distinct maximum clusters are disjoint, the union of all maximum clusters is the set of all terms occurring in Φ and there are at most n maximum clusters. 2. For each maximum cluster {t 1,..., t n }, as t i = t j for 1 i < j n, we only need to add one counting constraint CNT α k,n( t ) for some t {t 1,..., t n }. By Proposition 3 and the above observations, we need at most n counting constrains each of which can be computed in O(n). Therefore, we can obtained Φ in O(n 2 ).

22 D The Proofs of Completeness Proof of Theorem 1. We show that Φ obtained by Algorithm 3 is the induced length constraint of Φ λ. We may assume that the language only has constructors 2. This means that leaf vertices of G λ are labeled either by constants or variables. We say G λ is an extension of G λ if G λ is obtained from G λ by pasting to every variable leaf a well-formed ground term trees. (We need to make sure that the type of a term tree matches the type of the leaf to be replaced.) It is not difficult to see the one-to-one correspondence between variable assignments of Φ λ and extensions of G λ. By Algorithm 3, Φ has the following two properties: 1. for any assignment ν λ of Φ λ, ν λ is a satisfying assignment of Φ. 2. for any satisfying assignment ν of Φ, there is a corresponding data assignment ν such that ν = ν. The soundness of Φ follows immediately from the first property. For completeness let ν and ν be as stated in the second property. (Note that ν may not satisfy Φ λ, otherwise, we are done.) We transform ν in two steps. 1. Let ν be obtained from ν by substituting each atom in terms in ν for a fresh constant. This can be done as B ω has infinitely many atoms. 2. For variables in the same equivalence class we take any arbitrary representative, say z, and assign every other variables in the class ν (z). Let us denote by ν λ the resulting assignment. We claim that ν λ obtained by the above transformation is a satisfying assignment for Φ λ. But before we go into the details of the proof, it is worthwhile to illustrate the above transformation by an example. Example 12. Figure 3 shows the DAG representation of Is cons (x) cons(y, z) = cons(cdr(x), z) car(x) z (26) As in Example 5, the final computed R is {(v 1, v 2 ), (v 3, v 4 ), (v 6, v 7 )}. Before we do the transformation we need to abstract terms car(x) and cdr(x) to fresh variables. Let x 1 = car(x) and x 2 = cdr(x) (where x 1 and x 2 are new variables). Now x = cons(x 1, x 2 ) and then we don t treat it as a variable in the construction of an assignment. Suppose that we take an satisfying integer assignment ν : { x 1 = 1, x 2 = 3, y = 3, z = 1}. Let a possible corresponding data assignment ν be {x 1 = a, x 2 = cons(cons(a, a), a), y = cons(a, cons(a, a)), z = a}. The first step of substitution (of every atom for a fresh constant) will render ν : {x 1 = a 1, x 2 = cons(cons(a 2, b 2 ), c 2 ), y = cons(a 3, cons(b 3, c 3 )), z = a 4 }. Since x 2 and y are in the same equivalence class, the second step will give ν λ : {x 1 = a 1, x 2 = cons(cons(a 2, b 2 ), c 2 ), y = cons(cons(a 2, b 2 ), c 2 ), z = a 4 }. A quick check will convince us that ν λ satisfies (26) (while ν does not). 2 The generalization can be done with variable abstraction of terms solely built by selectors. We will illustrate this in Example 12